Primary

Context

Qihui jtbc5 CMS Path Traversal Vulnerability in Code Endpoint

Vulnerability

A path traversal vulnerability has been identified in Qihui jtbc5 CMS version 5.0.3.6. The issue resides in the Code Endpoint component, specifically within the file '/dev/code/common/diplomat/manage.php'. This vulnerability allows authenticated attackers to manipulate the 'path' argument, bypassing restrictions intended to keep file access within the web root directory. Exploitation of this flaw enables the reading of arbitrary sensitive files from the server's operating system.

Impact

Exploitation of this vulnerability allows for arbitrary file reading from the server, potentially exposing sensitive information.

Reproduction

To reproduce this vulnerability, send a request to the '/dev/code/common/diplomat/manage.php' file with a 'path' parameter that includes directory traversal sequences, such as '../'. This will bypass the application's directory restrictions and allow access to files outside the intended directory, such as system files like '/etc/passwd'.

Added: Apr 17, 2026, 1:41 PM

Updated: Apr 17, 2026, 1:41 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.2

exploitability

6.6

remediation

0.0

relevance

6.1

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.2

exploitability

6.6

remediation

0.0

relevance

6.1

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Qihui jtbc5 CMS Path Traversal Vulnerability in Code Endpoint

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating